Fail2ban not ban IP Base on Rule RECIDIVE

lesliecn · June 14, 2022, 8:25am

Hi
I got problem somebody keep scan my email account on Exim

Here is the Log

2022-06-14 01:01:34 dovecot_login authenticator failed for ([141.98.11.37]) [141.98.11.37]: 535 Incorrect authentication data (set_id=info)
2022-06-14 01:02:06 dovecot_login authenticator failed for ([45.125.66.55]) [45.125.66.55]: 535 Incorrect authentication data (set_id=scan)

fail2ban config for RECIDIVE was

[recidive]
enabled = true
filter = recidive
action = hestia[name=RECIDIVE]
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 4d
bantime = 14d

then I check fail2ban.log
a log of Records like this

2022-06-14 15:45:57,187 fail2ban.filter [462908]: INFO [exim-iptables] Found 45.125.66.22 - 2022-06-14 15:45:57
2022-06-14 15:48:24,662 fail2ban.filter [462908]: INFO [exim-iptables] Found 45.125.66.55 - 2022-06-14 15:48:24
2022-06-14 15:58:14,743 fail2ban.filter [462908]: INFO [exim-iptables] Found 91.224.92.110 - 2022-06-14 15:58:14
2022-06-14 15:58:57,996 fail2ban.filter [462908]: INFO [exim-iptables] Found 45.125.66.24 - 2022-06-14 15:58:57
2022-06-14 16:04:28,628 fail2ban.filter [462908]: INFO [exim-iptables] Found 45.125.66.55 - 2022-06-14 16:04:28
2022-06-14 16:04:32,633 fail2ban.filter [462908]: INFO [exim-iptables] Found 45.125.66.22 - 2022-06-14 16:04:32

so I guessing exim filter working good on fail2ban because fail2ban.log showing exim-iptables found IP

I check below command by ssh
fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/recidive.conf --print-all-matched

got some match
like this

|- Matched line(s):
| 2022-06-12 05:38:54,266 fail2ban.actions [672]: NOTICE [dovecot-iptables] Ban 156.96.154.218
| 2022-06-12 17:32:11,357 fail2ban.actions [672]: NOTICE [dovecot-iptables] Ban 45.85.190.248
| 2022-06-13 03:35:15,159 fail2ban.actions [672]: NOTICE [dovecot-iptables] Ban 156.96.46.101
| 2022-06-13 05:32:15,471 fail2ban.actions [672]: NOTICE [dovecot-iptables] Ban 107.182.128.175
| 2022-06-13 10:55:24,842 fail2ban.actions [672]: NOTICE [dovecot-iptables] Ban 45.85.190.81
| 2022-06-14 01:53:00,730 fail2ban.actions [672]: NOTICE [dovecot-iptables] Ban 195.133.16.35
| 2022-06-14 11:52:35,427 fail2ban.actions [462908]: NOTICE [exim-iptables] Ban 87.237.52.202

My question is I can’t see any Banned IPS in this page domain.com/list/firewall/banlist/

kind regards

eris · June 14, 2022, 8:41am

What happens when you run v-list-firewall-ban in command line?

lesliecn · June 15, 2022, 1:23am

Hi Eris
Thanks your reply, here is v-list-firewall-ban

v-list-firewall-ban
IP CHAIN TIME DATE

5.34.207.161 RECIDIVE 10:00:06 2022-06-14
5.34.207.59 RECIDIVE 10:00:06 2022-06-14

still got a lot ip address unban in fail2ban.log

2022-06-15 07:58:48,638 fail2ban.filter 2022-06-15 07:58:57,850 fail2ban.filter 2022-06-15 07:59:37,895 fail2ban.filter 2022-06-15 08:11:55,539 fail2ban.filter 2022-06-15 08:15:21,047 fail2ban.filter 2022-06-15 08:19:23,443 fail2ban.filter 2022-06-15 08:21:20,184 fail2ban.filter 2022-06-15 08:22:41,133 fail2ban.filter 2022-06-15 08:22:42,285 fail2ban.filter 2022-06-15 08:23:03,114 fail2ban.filter 2022-06-15 08:31:31,636 fail2ban.filter 2022-06-15 08:33:27,260 fail2ban.filter 2022-06-15 08:39:10,926 fail2ban.filter 2022-06-15 08:47:23,179 fail2ban.filter 2022-06-15 08:51:11,482 fail2ban.filter 2022-06-15 08:51:14,724 fail2ban.filter 2022-06-15 08:51:16,689 fail2ban.filter 2022-06-15 08:51:33,913 fail2ban.filter 2022-06-15 08:51:40,121 fail2ban.filter 2022-06-15 08:59:03,184 fail2ban.filter 2022-06-15 09:08:29,854 fail2ban.filter 2022-06-15 09:08:31,306 fail2ban.filter 2022-06-15 09:08:42,522 fail2ban.filter 2022-06-15 09:09:54,615 fail2ban.filter 2022-06-15 09:11:05,300 fail2ban.filter 2022-06-15 09:14:19,147 fail2ban.filter [462908]: INFO [exim-iptables] Found 196.50.192.64 - 2022-06-15 07:58:48
[462908]: INFO [exim-iptables] Found 122.160.103.161 - 2022-06-15 07:58:57
[462908]: INFO [exim-iptables] Found 91.224.92.110 - 2022-06-15 07:59:37
[462908]: INFO [exim-iptables] Found 45.125.66.22 - 2022-06-15 08:11:55
[462908]: INFO [exim-iptables] Found 45.125.66.24 - 2022-06-15 08:15:20
[462908]: INFO [exim-iptables] Found 91.224.92.110 - 2022-06-15 08:19:23
[462908]: INFO [exim-iptables] Found 45.125.66.55 - 2022-06-15 08:21:20
[462908]: INFO [dovecot-iptables] Found 218.21.254.3 - 2022-06-15 08:22:40
[462908]: INFO [exim-iptables] Found 218.21.254.3 - 2022-06-15 08:22:42
[462908]: INFO [exim-iptables] Found 81.246.47.178 - 2022-06-15 08:23:03
[462908]: INFO [exim-iptables] Found 45.125.66.22 - 2022-06-15 08:31:31
[462908]: INFO [exim-iptables] Found 45.125.66.24 - 2022-06-15 08:33:27
[462908]: INFO [exim-iptables] Found 91.224.92.110 - 2022-06-15 08:39:10
[462908]: INFO [exim-iptables] Found 45.125.66.55 - 2022-06-15 08:47:23
[462908]: INFO [exim-iptables] Found 45.125.66.22 - 2022-06-15 08:51:11
[462908]: INFO [dovecot-iptables] Found 45.236.200.29 - 2022-06-15 08:51:14
[462908]: INFO [exim-iptables] Found 45.236.200.29 - 2022-06-15 08:51:16
[462908]: INFO [exim-iptables] Found 121.242.15.28 - 2022-06-15 08:51:33
[462908]: INFO [exim-iptables] Found 45.125.66.24 - 2022-06-15 08:51:40
[462908]: INFO [exim-iptables] Found 91.224.92.110 - 2022-06-15 08:59:03
[462908]: INFO [dovecot-iptables] Found 103.85.97.124 - 2022-06-15 09:08:29
[462908]: INFO [exim-iptables] Found 103.85.97.124 - 2022-06-15 09:08:31
[462908]: INFO [exim-iptables] Found 45.163.68.137 - 2022-06-15 09:08:42
[462908]: INFO [exim-iptables] Found 45.125.66.24 - 2022-06-15 09:09:54
[462908]: INFO [exim-iptables] Found 45.125.66.22 - 2022-06-15 09:11:05
[462908]: INFO [exim-iptables] Found 45.125.66.55 - 2022-06-15 09:14:19

seem filter rule no problem ,and only two ip address on banned IPs Lists